The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

TDSS loader now got “legs”

Sergey Golovanov
Kaspersky Lab Expert
Posted June 03, 14:40  GMT
Tags: Rootkits, x64, DNS, TDSS

The TDSS loader, a malicious program that we wrote a lot about (e.g. here and here) now has legs, i.e. a tool for self-propagation. TDSS is a very complicated piece of malware and the cybercriminals have created an ingenious propagation tool for its loader.

The TDSS loader was named Net-Worm.Win32.Rorpian and has two methods of propagation:

  1. Via removable media
  2. Via a LAN

When propagating via removable media, the worm creates the files setup.lnk, myporno.avi.lnk, pornmovs.lnk and autorun.inf. These files contain a link to the file rundll32.exe whose parameters reference the worm’s DLL. This is a standard technique used in many malicious programs.

The worm uses the following methodology when working with a LAN. To infect a computer, the worm checks if a DHSP server is used in the network. If the victim computer is located on a network using the DHCP protocol, the worm starts scanning the network to see if there are any available IP addresses. After that, the worm launches its own DHCP server and starts listening to the network. When a DHCP request from a computer in the local network arrives, the worm attempts to respond to it before the “official” DHCP server does, and species the following:

  1. An IP address from the pool of available IP addresses
  2. The main gateway specified on the infected computer
  3. The address of the malicious DNS server belonging to the cybercriminals After these manipulations, whenever the user tries to visit any web page, they will be redirected to the malicious server and prompted to update their web browser.

Fragment of Net-Worm.Win32.Rorpian code that works with the DHCP protocol

The user will only be able to visit sites after agreeing to install an “update”. If the user agrees, they unwittingly download a variant of Net-Worm.Win32.Rorpian. After infecting the user’s computer, it changes the DNS settings into a Google server address and lets the user browse.

Screenshot of the malicious site from which the worm propagates

Thus the Net-Worm.Win32.Rorpian worm acts as a loader for TDSS, one of the most advanced and sophisticated malicious programs around. The worm leverages the users’ indiscretion – the most dangerous vulnerability of them all.

PS Acknowledgements go to Evgeny Aseev for his help in preparing this article.


Newest first
Table view


2014 Feb 27, 11:40

okay is this related??

You guys are only ones that seem to be on track with a malware issue I have. Could it be related to this one by any chance at all? I looked at it in my EFI shell and it has infected my bios and replaced the first driver loaded with a chain loader ACPI Dll. It uses that for a group of drivers called 'DXE_CORE' and they refer to an image in a active embedded memory block elsewhere for the files. It uses the acpi driver to embed a img/bin over any medium that I can use to install an o/s or boot for virus scan and loads its version of the install or o/s. It has a lot of similarities to this but also other items on your blog. It seems to use hypervisor in windows to sandbox any attempts to scan it for viruses and only time I've ever seen success is with the fixmestick usb but it put it in quarantine on hard drive where it was locked down again by the malware. I used testdisk and found alternate data streams that had hidden inf files and boot directories with 32 languages and font directory. It allso modified my notepad so that it processes and translares all opened files as unicode immediately. Ever heard of anything like this? (this is limited description, but it effects, win, linux,macbook, and I think even my androirds got their bootkit from it too)


Donna J.Marn

2011 Jul 09, 18:59


I just wanted to welcome you all to Ohio.You guy's are Brilliant!Thanks for being here!



2011 Jul 09, 05:41

Re: Re: how can I remove this

hello segey, i got problem that. i will try....thanks



2011 Jul 01, 13:43

Bootkit Virus

I recently removed this virus with the help of your tools on this website, however after removing it my computer constantly blue screens, safe mode, debug mode, last good config, everything.

I'm assuming this is because it altered/deleted my MBR. Do you guys use any particular programs you use to protect the master boot record from writing. I have googled but it but had little success.


Sergey Golovanov

2011 Jun 30, 15:43

Re: .lnk

"plain .lnk" one)



2011 Jun 20, 08:23

hi, im hoping you can help me

Is it possible to have multiple rootkits or worse yet is there a rootkit os that your aware of?

The rootkit on my home computer closely resembles the rootkit your explaining; however, I suspect my computer may be on a vm (java, i think), Im not a programmer, however, Ive gathered as much info as possible. It does self propogate and spreads as you describe supra. It takes control over the acpi, uses colors to manipulate the gui, flips the gui and then injects xml asian characters that are hidden in white space. It also uses a border and shadow background image to shadow but Im not sure. It stores files in movies, speech, fonts, printer, bypasses all security certificates, sets up a public server on my desktop, injects more xml via rss feed into browser. It is manipulating my monitor as well. The Worst Part - It viciously attacks the cpu and with variety of photoshop filters, and has set my L2Cache to a negative five offset. It has its own freedos with its own api so I cant even use my seagate cd to view the hard drive. Is there a rootkit to date that acts like an entire os? I see that it completely replaces the registry with a streaming virus that sings lalala fun something, the symbols it uses when I change the font to webding is really evil as well and manipulates the video settings. Is this a rootkit os with a windows 7 shell? Can you help me, and if so, can you please point me in the right direction. Im frustrated beyond tears.

Edited by pls.help, 2011 Jun 20, 08:38



2011 Jun 16, 21:53


Is the .lnk related at anyway with the autorun functionality (something like the .lnk exploit which led to autoexec) or is it just a plain .lnk that aims to target the user by accidentally clicking it?


Sergey Golovanov

2011 Jun 07, 14:52

Re: how can I remove this

Hello Joe.
You can download and run this tool for disinfection



2011 Jun 07, 00:28

how can I remove this

I have this virus.....where can I go to get the best fix to remove it...any suggestions?


Sergey Golovanov

2011 Jun 06, 18:52

Re: ask bin

> can i have a bin from you


Sergey Golovanov

2011 Jun 06, 16:16

Re: additional spreading vector

Yes) +1



2011 Jun 06, 08:41

additional spreading vector

In seeing it in action it will scan for writable network shares and copy the five files(setup.lnk, myporno.avi.lnk, pornmovs.lnk, autorun.inf and setup.fon) to shares that it has write access to.



2011 Jun 03, 20:40

ask bin

hello, i have interest in the vlan spreading skill, can i have a bin from you ,thanks very much!

If you would like to comment on this article you must first

Bookmark and Share